CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H
Description
OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use vulnerability in approval-bound system.run execution where the cwd parameter is validated at approval time but resolved at execution time. Attackers can retarget a symlinked cwd between approval and execution to bypass command execution restrictions and execute arbitrary commands on node hosts.
Analysis
OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use (TOCTOU) vulnerability in approval-bound system.run execution: the current working directory (cwd) parameter is validated when the command is approved but is resolved again only when the command actually executes. An attacker with local access and low privileges can retarget a symlinked cwd in the window between approval and execution, so the command runs in a directory the approval never covered, bypassing the command execution restrictions and allowing arbitrary commands to run on node hosts. The CVSS 3.1 base score is 6.5 (medium), consistent with the vector above: local attack vector, high attack complexity (the attacker must win the race between check and use), low privileges required, no user interaction required (UI:N), unchanged scope, low confidentiality impact, and high integrity and availability impact. For a low-privileged local user this is a notable path to command execution beyond what the approval workflow was meant to permit.
Remediation
Within 30 days: identify affected systems and upgrade OpenClaw to 2026.2.25 or later as part of the regular patch cycle. A vendor patch is available.
References
EUVD-2026-13935
GHSA-3p2x-hjxj-c7rv